This bug was fixed in the package linux - 5.15.0-88.98 --------------- linux (5.15.0-88.98) jammy; urgency=medium * jammy/linux: 5.15.0-88.98 -proposed tracker (LP: #2038055) * CVE-2023-4244 - netfilter: nf_tables: don't skip expired elements during walk - netfilter: nf_tables: adapt set backend to use GC transaction API - netfilter: nft_set_hash: mark set element as dead when deleting from packet path - netfilter: nf_tables: GC transaction API to avoid race with control plane - netfilter: nf_tables: remove busy mark and gc batch API - netfilter: nf_tables: don't fail inserts if duplicate has expired - netfilter: nf_tables: fix kdoc warnings after gc rework - netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path - netfilter: nf_tables: GC transaction race with netns dismantle - netfilter: nf_tables: GC transaction race with abort path - netfilter: nf_tables: use correct lock to protect gc_list - netfilter: nf_tables: defer gc run if previous batch is still pending - netfilter: nft_dynset: disallow object maps - netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction * CVE-2023-42756 - netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP * CVE-2023-4623 - net/sched: sch_hfsc: Ensure inner classes have fsc curve * PCI BARs larger than 128GB are disabled (LP: #2037403) - PCI: Support BAR sizes up to 8TB * Fix unstable audio at low levels on Thinkpad P1G4 (LP: #2037077) - ALSA: hda/realtek - ALC287 I2S speaker platform support * Check for changes relevant for security certifications (LP: #1945989) - [Packaging] Add a new fips-checks script * Jammy update: v5.15.126 upstream stable release (LP: #2037593) - io_uring: gate iowait schedule on having pending requests - perf: Fix function pointer case - net/mlx5: Free irqs only on shutdown callback - arm64: errata: Add workaround for TSB flush failures - arm64: errata: Add detection for TRBE write to out-of-range - [Config] updateconfigs for ARM64_ERRATUM_ and ARM64_WORKAROUND_TSB_FLUSH_FAILURE - iommu/arm-smmu-v3: Work around MMU-600 erratum 1076982 - iommu/arm-smmu-v3: Document MMU-700 erratum 2812531 - iommu/arm-smmu-v3: Add explicit feature for nesting - iommu/arm-smmu-v3: Document nesting-related errata - arm64: dts: imx8mn-var-som: add missing pull-up for onboard PHY reset pinmux - word-at-a-time: use the same return type for has_zero regardless of endianness - KVM: s390: fix sthyi error handling - wifi: cfg80211: Fix return value in scan logic - net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx - net/mlx5e: fix return value check in mlx5e_ipsec_remove_trailer() - bpf: Add length check for SK_DIAG_BPF_STORAGE_REQ_MAP_FD parsing - rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length - net: dsa: fix value check in bcm_sf2_sw_probe() - perf test uprobe_from_different_cu: Skip if there is no gcc - net: sched: cls_u32: Fix match key mis-addressing - mISDN: hfcpci: Fix potential deadlock on &hc->lock - qed: Fix kernel-doc warnings - qed: Fix scheduling in a tasklet while getting stats - net: annotate data-races around sk->sk_max_pacing_rate - net: add missing READ_ONCE(sk->sk_rcvlowat) annotation - net: add missing READ_ONCE(sk->sk_sndbuf) annotation - net: add missing READ_ONCE(sk->sk_rcvbuf) annotation - net: add missing data-race annotations around sk->sk_peek_off - net: add missing data-race annotation for sk_ll_usec - net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX. - bpf, cpumap: Handle skb as well when clean up ptr_ring - bpf: sockmap: Remove preempt_disable in sock_map_sk_acquire - net: ll_temac: Switch to use dev_err_probe() helper - net: ll_temac: fix error checking of irq_of_parse_and_map() - net: korina: handle clk prepare error in korina_probe() - net: netsec: Ignore 'phy-mode' on SynQuacer in DT mode - net: dcb: choose correct policy to parse DCB_ATTR_BCN - s390/qeth: Don't call dev_close/dev_open (DOWN/UP) - ip6mr: Fix skb_under_panic in ip6mr_cache_report() - vxlan: Fix nexthop hash size - net/mlx5: fs_core: Make find_closest_ft more generic - net/mlx5: fs_core: Skip the FTs in the same FS_TYPE_PRIO_CHAINS fs_prio - prestera: fix fallback to previous version on same major version - tcp_metrics: fix addr_same() helper - tcp_metrics: annotate data-races around tm->tcpm_stamp - tcp_metrics: annotate data-races around tm->tcpm_lock - tcp_metrics: annotate data-races around tm->tcpm_vals[] - tcp_metrics: annotate data-races around tm->tcpm_net - tcp_metrics: fix data-race in tcpm_suck_dst() vs fastopen - scsi: zfcp: Defer fc_rport blocking until after ADISC response - scsi: storvsc: Limit max_sectors for virtual Fibre Channel devices - libceph: fix potential hang in ceph_osdc_notify() - USB: zaurus: Add ID for A-300/B-500/C-700 - ceph: defer stopping mdsc delayed_work - firmware: arm_scmi: Drop OF node reference in the transport channel setup - exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree - exfat: release s_lock before calling dir_emit() - mtd: spinand: toshiba: Fix ecc_get_status - mtd: rawnand: meson: fix OOB available bytes for ECC - arm64: dts: stratix10: fix incorrect I2C property for SCL signal - wifi: mt76: mt7615: do not advertise 5 GHz on first phy of MT7615D (DBDC) - rbd: prevent busy loop when requesting exclusive lock - bpf: Disable preemption in bpf_event_output - open: make RESOLVE_CACHED correctly test for O_TMPFILE - drm/ttm: check null pointer before accessing when swapping - bpf, cpumap: Make sure kthread is running before map update returns - file: reinstate f_pos locking optimization for regular files - fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_load_attr_list() - fs/sysv: Null check to prevent null-ptr-deref bug - net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb - fs: Protect reconfiguration of sb read-write from racing writes - ext2: Drop fragment support - mtd: rawnand: omap_elm: Fix incorrect type in assignment - mtd: rawnand: rockchip: fix oobfree offset and description - mtd: rawnand: rockchip: Align hwecc vs. raw page helper layouts - mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op() - powerpc/mm/altmap: Fix altmap boundary check - drm/imx/ipuv3: Fix front porch adjustment upon hactive aligning - selftests/rseq: check if libc rseq support is registered - selftests/rseq: Play nice with binaries statically linked against glibc 2.35+ - soundwire: bus: pm_runtime_request_resume on peripheral attachment - soundwire: fix enumeration completion - PM / wakeirq: support enabling wake-up irq after runtime_suspend called - PM: sleep: wakeirq: fix wake irq arming - Linux 5.15.126 * Jammy update: v5.15.125 upstream stable release (LP: #2036843) - ia64/cpu: Switch to arch_cpu_finalize_init() - m68k/cpu: Switch to arch_cpu_finalize_init() - mips/cpu: Switch to arch_cpu_finalize_init() - sh/cpu: Switch to arch_cpu_finalize_init() - Linux 5.15.125 - Upstream stable to v5.15.125 * CVE-2023-42755 - net/sched: Retire rsvp classifier - [Config] remove NET_CLS_RSVP and NET_CLS_RSVP6 * CVE-2023-42753 - netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c * CVE-2023-34319 - xen/netback: Fix buffer overrun triggered by unusual packet * CVE-2023-5197 - netfilter: nf_tables: disallow rule removal from chain binding * CVE-2023-4921 - net: sched: sch_qfq: Fix UAF in qfq_dequeue() * CVE-2023-42752 - igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU * Avoid address overwrite in kernel_connect (LP: #2035163) - net: Avoid address overwrite in kernel_connect * NULL Pointer Dereference During KVM MMU Page Invalidation (LP: #2035166) - KVM: x86/mmu: Track the number of TDP MMU pages, but not the actual pages * Fix suspend hang on Lenovo workstation (LP: #2034479) - igb: Fix igb_down hung on surprise removal * [regression] Unable to initialize SGX enclaves with XFRM other than 3 (LP: #2034745) - x86/fpu: Set X86_FEATURE_OSXSAVE feature after enabling OSXSAVE in CR4 * CVE-2023-4881 - netfilter: nftables: exthdr: fix 4-byte stack OOB write * CVE-2023-4622 - af_unix: Fix null-ptr-deref in unix_stream_sendpage(). * Jammy update: v5.15.124 upstream stable release (LP: #2035400) - jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint - KVM: s390: pv: fix index value of replaced ASCE - io_uring: don't audit the capability check in io_uring_create() - gpio: tps68470: Make tps68470_gpio_output() always set the initial value - pwm: Add a stub for devm_pwmchip_add() - gpio: mvebu: Make use of devm_pwmchip_add - gpio: mvebu: fix irq domain leak - btrfs: fix race between quota disable and relocation - i2c: Delete error messages for failed memory allocations - i2c: Improve size determinations - i2c: nomadik: Remove unnecessary goto label - i2c: nomadik: Use devm_clk_get_enabled() - i2c: nomadik: Remove a useless call in the remove function - PCI/ASPM: Return 0 or -ETIMEDOUT from pcie_retrain_link() - PCI/ASPM: Factor out pcie_wait_for_retrain() - PCI/ASPM: Avoid link retraining race - PCI: rockchip: Remove writes to unused registers - PCI: rockchip: Fix window mapping and address translation for endpoint - PCI: rockchip: Don't advertise MSI-X in PCIe capabilities - dlm: cleanup plock_op vs plock_xop - dlm: rearrange async condition return - fs: dlm: interrupt posix locks only when process is killed - drm/ttm: Don't print error message if eviction was interrupted - drm/ttm: Don't leak a resource on eviction error - n_tty: Rename tail to old_tail in n_tty_read() - tty: fix hang on tty device with no_room set - drm/ttm: never consider pinned BOs for eviction&swap - cifs: missing directory in MAINTAINERS file - cifs: use fs_context for automounts - ksmbd: remove internal.h include - cifs: if deferred close is disabled then close files immediately - pwm: meson: Simplify duplicated per-channel tracking - pwm: meson: fix handling of period/duty if greater than UINT_MAX - tracing/probes: Add symstr type for dynamic events - tracing/probes: Fix to avoid double count of the string length on the array - tracing: Allow synthetic events to pass around stacktraces - Revert "tracing: Add "(fault)" name injection to kernel probes" - tracing/probes: Fix to record 0-length data_loc in fetch_store_string*() if fails - scsi: qla2xxx: Remove unused declarations for qla2xxx - scsi: qla2xxx: Multi-que support for TMF - scsi: qla2xxx: Fix task management cmd failure - scsi: qla2xxx: Fix task management cmd fail due to unavailable resource - scsi: qla2xxx: Add debug prints in the device remove path - scsi: qla2xxx: Fix hang in task management - drm/amdgpu: fix vkms crtc settings - drm/amdgpu/vkms: relax timer deactivation by hrtimer_try_to_cancel - phy: qcom-snps: Use dev_err_probe() to simplify code - phy: qcom-snps: correct struct qcom_snps_hsphy kerneldoc - phy: qcom-snps-femto-v2: keep cfg_ahb_clk enabled during runtime suspend - phy: qcom-snps-femto-v2: properly enable ref clock - soundwire: qcom: update status correctly with mask - media: staging: atomisp: select V4L2_FWNODE - i40e: Fix an NULL vs IS_ERR() bug for debugfs_create_dir() - iavf: fix potential deadlock on allocation failure - iavf: check for removal state before IAVF_FLAG_PF_COMMS_FAILED - net: phy: marvell10g: fix 88x3310 power up - net: hns3: fix wrong tc bandwidth weight data issue - net: hns3: fix wrong bw weight of disabled tc issue - vxlan: move to its own directory - vxlan: calculate correct header length for GPE - phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() - ethernet: atheros: fix return value check in atl1e_tso_csum() - ipv6 addrconf: fix bug where deleting a mngtmpaddr can create a new temporary address - ice: Fix memory management in ice_ethtool_fdir.c - bonding: reset bond's flags when down link is P2P device - team: reset team's flags when down link is P2P device - net: stmmac: Apply redundant write work around on 4.xx too - platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100 - igc: Fix Kernel Panic during ndo_tx_timeout callback - netfilter: nft_set_rbtree: fix overlap expiration walk - net/sched: mqprio: refactor nlattr parsing to a separate function - net/sched: mqprio: add extack to mqprio_parse_nlattr() - net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64 - benet: fix return value check in be_lancer_xmit_workarounds() - tipc: check return value of pskb_trim() - tipc: stop tipc crypto on failure in tipc_node_create - RDMA/mlx4: Make check for invalid flags stricter - drm/msm/dpu: drop enum dpu_core_perf_data_bus_id - drm/msm/adreno: Fix snapshot BINDLESS_DATA size - RDMA/irdma: Add missing read barriers - RDMA/irdma: Fix data race on CQP completion stats - RDMA/irdma: Fix data race on CQP request done - RDMA/mthca: Fix crash when polling CQ for shared QPs - RDMA/bnxt_re: Prevent handling any completions after qp destroy - drm/msm: Fix IS_ERR_OR_NULL() vs NULL check in a5xx_submit_in_rb() - ASoC: fsl_spdif: Silence output on stop - block: Fix a source code comment in include/uapi/linux/blkzoned.h - dm raid: fix missing reconfig_mutex unlock in raid_ctr() error paths - dm raid: clean up four equivalent goto tags in raid_ctr() - dm raid: protect md_stop() with 'reconfig_mutex' - drm/amd: Fix an error handling mistake in psp_sw_init() - RDMA/irdma: Report correct WC error - ata: pata_ns87415: mark ns87560_tf_read static - ring-buffer: Fix wrong stat of cpu_buffer->read - tracing: Fix warning in trace_buffered_event_disable() - Revert "usb: gadget: tegra-xudc: Fix error check in tegra_xudc_powerdomain_init()" - usb: gadget: call usb_gadget_check_config() to verify UDC capability - USB: gadget: Fix the memory leak in raw_gadget driver - KVM: Grab a reference to KVM for VM and vCPU stats file descriptors - KVM: VMX: Don't fudge CR0 and CR4 for restricted L2 guest - serial: qcom-geni: drop bogus runtime pm state update - serial: 8250_dw: Preserve original value of DLF register - serial: sifive: Fix sifive_serial_console_setup() section - USB: serial: option: support Quectel EM060K_128 - USB: serial: option: add Quectel EC200A module support - USB: serial: simple: add Kaufmann RKS+CAN VCP - USB: serial: simple: sort driver entries - can: gs_usb: gs_can_close(): add missing set of CAN state to CAN_STATE_STOPPED - Revert "usb: dwc3: core: Enable AutoRetry feature in the controller" - usb: dwc3: pci: skip BYT GPIO lookup table for hardwired phy - usb: dwc3: don't reset device side if dwc3 was configured as host-only - usb: ohci-at91: Fix the unhandle interrupt when resume - USB: quirks: add quirk for Focusrite Scarlett - usb: cdns3: fix incorrect calculation of ep_buf_size when more than one config - usb: xhci-mtk: set the dma max_seg_size - Revert "usb: xhci: tegra: Fix error check" - Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group - Documentation: security-bugs.rst: clarify CVE handling - staging: r8712: Fix memory leak in _r8712_init_xmit_priv() - staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() - tty: n_gsm: fix UAF in gsm_cleanup_mux - Revert "xhci: add quirk for host controllers that don't update endpoint DCS" - ALSA: hda/relatek: Enable Mute LED on HP 250 G8 - hwmon: (k10temp) Enable AMD3255 Proc to show negative temperature - hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled - btrfs: check if the transaction was aborted at btrfs_wait_for_commit() - btrfs: check for commit error at btrfs_attach_transaction_barrier() - file: always lock position for FMODE_ATOMIC_POS - nfsd: Remove incorrect check in nfsd4_validate_stateid - tpm_tis: Explicitly check for error code - irq-bcm6345-l1: Do not assume a fixed block to cpu mapping - irqchip/gic-v4.1: Properly lock VPEs when doing a directLPI invalidation - locking/rtmutex: Fix task->pi_waiters integrity - KVM: x86: Disallow KVM_SET_SREGS{2} if incoming CR0 is invalid - virtio-net: fix race between set queues and probe - s390/dasd: fix hanging device after quiesce/resume - ASoC: wm8904: Fill the cache for WM8904_ADC_TEST_0 register - ceph: never send metrics if disable_send_metrics is set - dm cache policy smq: ensure IO doesn't prevent cleaner policy progress - rbd: make get_lock_owner_info() return a single locker or NULL - rbd: harden get_lock_owner_info() a bit - rbd: retrieve and check lock owner twice before blocklisting - tracing: Fix trace_event_raw_event_synth() if else statement - ACPI: processor: perflib: Use the "no limit" frequency QoS - ACPI: processor: perflib: Avoid updating frequency QoS unnecessarily - cpufreq: intel_pstate: Drop ACPI _PSS states table patching - selftests: mptcp: sockopt: use 'iptables-legacy' if available - io_uring: treat -EAGAIN for REQ_F_NOWAIT as final for io-wq - ASoC: cs42l51: fix driver to properly autoload with automatic module loading - selftests: mptcp: join: only check for ip6tables if needed - Linux 5.15.124 * Jammy update: v5.15.123 upstream stable release (LP: #2034612) - ALSA: hda/realtek - remove 3k pull low procedure - ALSA: hda/realtek: Add quirk for Clevo NS70AU - ALSA: hda/realtek: Enable Mute LED on HP Laptop 15s-eq2xxx - keys: Fix linking a duplicate key to a keyring's assoc_array - perf probe: Add test for regression introduced by switch to die_get_decl_file() - btrfs: fix warning when putting transaction with qgroups enabled after abort - fuse: revalidate: don't invalidate if interrupted - btrfs: zoned: fix memory leak after finding block group with super blocks - fuse: ioctl: translate ENOSYS in outarg - selftests: tc: set timeout to 15 minutes - selftests: tc: add 'ct' action kconfig dep - regmap: Drop initial version of maximum transfer length fixes - regmap: Account for register length in SMBus I/O limits - can: bcm: Fix UAF in bcm_proc_show() - selftests: tc: add ConnTrack procfs kconfig - drm/client: Fix memory leak in drm_client_target_cloned - drm/client: Fix memory leak in drm_client_modeset_probe - drm/amd/display: Disable MPC split by default on special asic - drm/amd/display: Keep PHY active for DP displays on DCN31 - ASoC: fsl_sai: Disable bit clock with transmitter - ASoC: codecs: wcd938x: fix missing clsh ctrl error handling - ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove - ASoC: codecs: wcd938x: fix resource leaks on component remove - ASoC: codecs: wcd938x: fix missing mbhc init error handling - ASoC: codecs: wcd934x: fix resource leaks on component remove - ASoC: codecs: wcd938x: fix codec initialisation race - ASoC: codecs: wcd938x: fix soundwire initialisation race - ext4: correct inline offset when handling xattrs in inode body - drm/radeon: Fix integer overflow in radeon_cs_parser_init - ALSA: emu10k1: roll up loops in DSP setup code for Audigy - quota: Properly disable quotas when add_dquot_ref() fails - quota: fix warning in dqgrab() - udf: Fix uninitialized array access for some pathnames - fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev - MIPS: dec: prom: Address -Warray-bounds warning - FS: JFS: Fix null-ptr-deref Read in txBegin - FS: JFS: Check for read-only mounted filesystem in txBegin - spi: bcm63xx: fix max prepend length - fbdev: imxfb: warn about invalid left/right margin - perf build: Fix library not found error when using CSLIBS - pinctrl: amd: Use amd_pinconf_set() for all config options - net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()/cpsw_ale_set_field() - bridge: Add extack warning when enabling STP in netns. - ethernet: use eth_hw_addr_set() instead of ether_addr_copy() - of: net: add a helper for loading netdev->dev_addr - ethernet: use of_get_ethdev_address() - net: ethernet: mtk_eth_soc: handle probe deferral - net: sched: cls_bpf: Undo tcf_bind_filter in case of an error - iavf: Fix use-after-free in free_netdev - iavf: Fix out-of-bounds when setting channels on remove - security: keys: Modify mismatched function name - octeontx2-pf: Dont allocate BPIDs for LBK interfaces - bpf: Fix subprog idx logic in check_max_stack_depth - igc: Prevent garbled TX queue with XDP ZEROCOPY - tcp: annotate data-races around tcp_rsk(req)->ts_recent - net: ipv4: Use kfree_sensitive instead of kfree - net:ipv6: check return value of pskb_trim() - Revert "tcp: avoid the lookup process failing to get sk in ehash table" - fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe - llc: Don't drop packet from non-root netns. - netfilter: nf_tables: fix spurious set element insertion failure - netfilter: nf_tables: skip bound chain in netns release path - tcp: annotate data-races around tp->tcp_tx_delay - tcp: annotate data-races around tp->keepalive_time - tcp: annotate data-races around tp->keepalive_intvl - tcp: annotate data-races around tp->keepalive_probes - tcp: annotate data-races around icsk->icsk_syn_retries - tcp: annotate data-races around tp->linger2 - tcp: annotate data-races around rskq_defer_accept - tcp: annotate data-races around tp->notsent_lowat - tcp: annotate data-races around icsk->icsk_user_timeout - tcp: annotate data-races around fastopenq.max_qlen - net: phy: prevent stale pointer dereference in phy_init() - jbd2: recheck chechpointing non-dirty buffer - tracing/histograms: Return an error if we fail to add histogram to hist_vars list - nixge: fix mac address error handling again - Linux 5.15.123 * allow io_uring to be disabled in runtime (LP: #2035116) - io_uring: add a sysctl to disable io_uring system-wide * CVE-2023-31083 - Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO * CVE-2023-3772 - xfrm: add NULL check in xfrm_update_ae_params * Packaging resync (LP: #1786013) - [Packaging] update helper scripts -- Roxana Nicolescu